Wireless Insecurity

Every business should be lucky enough to get a visit from a friendly hacker like Jeff Schmidt. On July 27, Schmidt tried out a brand-new wireless LAN card on his laptop at work. He didn't expect anything to happen, because his organization's wireless LAN wasn't up and running yet. But to his surprise, he was able to connect without any trouble to the network of an office down the street.

Oops.

Rather than swipe passwords from the other office's domain name server, Schmidt called the office to warn it. It shut down its wireless hub shortly thereafter, he says.

Schmidt, a network engineer at the U.S. Department of Agriculture in New Orleans, provided printouts of his communications with the other office, which he declined to name.

"Imagine our surprise when their hub instantly returned my signal," Schmidt says. "Since the other office was still using the factory defaults on its wireless hub, I connected just fine. No hacking, no planning - just plain, dumb chance."

Chance played a key role in Schmidt's penetration of an outside network, but analysts say wireless LANs can be easily accessed by neighbors - friendly or not - and need strong protection.

According to analysts, information technology managers can provide robust security by making sure wireless users are authenticated, preferably with a user name and password as well as a token. They also say encryption should be used end-to-end in a connection.

Security can even be made strong enough to allow purchases or money transfers over the Web, banks and retailers say.

Secure - For Now

"We feel very comfortable with our wireless security, and we feel our equipment is secure," says Mark Ebel, director of digital communication services at BestBuy.com, a division of Best Buy Co. in Eden Prairie, Minn.

"However, we do believe we have to get better at security than today's approach, because if we don't do something, we know the hackers will find ways to get better," he adds.

BestBuy.com is about to launch wireless purchasing on its Web site. The system has worked well in tests but hasn't been launched yet because the company has been tweaking other features of the site that aren't related to security.

Banks such as Wachovia Corp. in Winston-Salem, N.C., are confident enough about wireless security to plan a rollout of banking services for consumers and businesses by year's end [News, July 17].

One group that has already gone wireless is 500 attorneys at Paul Hastings Janosky and Walker LLP in Los Angeles. The lawyers send e-mail wirelessly via Research in Motion Ltd. (RIM) BlackBerry personal digital assistants, which resemble pagers with small keyboards. They started using the devices last October.

"They have been an invaluable tool for the lawyers, and a lot of them travel," says Mary Odson, CIO at Paul Hastings. "We carefully evaluated the RIMs and the network, since security with legal matters was one of the most important components.''

Banking on Wireless

Encrypting connections from end to end requires a developer to consider every device used to access a network, users and analysts say. In addition, the security standards of each wireless network carrier must be understood.

To deal with this complexity, Wachovia chose 724 Solutions Inc. in Toronto to help it develop wireless banking applications, says Lawrence Baxter, head of e-business at Wachovia.

But when Fidelity Investments in Boston started making wireless transactions in 1998, applications had to be built in-house because the technology was still relatively rare, as was outside expertise in it, says Joe Ferra, senior vice president of Fidelity Online Brokerage, which has more than 70,000 wireless users on various devices.

Ferra says that as a result of internal evaluations and reports in the security community, Fidelity doesn't trust the current Wireless Application Protocol (WAP) standard, known as WAP 1.1, for wireless transactions. Instead, Fidelity relies on encryption and authentication developed using the Handheld Device Markup Language.

Many analysts say they agree that WAP 1.1 presents problems, because a wireless transmission is vulnerable to a hack at the WAP gateway server. Under the current standard, the WAP gateway server sits inside the premises of the wireless carrier.

Three analysts - John Pescatore at Gartner Group Inc. in Stamford, Conn.; Alan Paller, director of research at the SANS Institute in Bethesda, Md.; and Alan Reiter at Wireless Internet and Mobile Computing in Chevy Chase, Md. - say there's a small but real threat that a sophisticated hacker could enter a WAP gateway server to steal data. That's because the gateway server decrypts the wireless transmission for a moment before re-encrypting it for the wired network.

However, Phone.com Inc. in Redwood City, Calif., a founding member of the WAP Forum, argues that despite this possibility, the level of security is "really quite high," says Roger Snyder, senior product manager at Phone.com. It's high enough, he notes, for the Bank of Montreal in Toronto, Amazon.com Inc. in Seattle and others to have launched wireless transaction services.

Pescatore and other analysts say WAP 1.3, which is scheduled to be available next year, will eliminate the decryption pause. According to Snyder, a WAP proxy server in a bank or other business will tell a wireless network server that a user was authorized to do business directly with the bank's server.

Sabre Holdings Corp. in Fort Worth, Texas, announced a service last month that will give travelers wireless access from any device, says Cindy Groner, director of wireless services at Sabre. To avoid problems with WAP 1.1 or other vulnerabilities, she says, none of the user's credit information is passed over the wireless network. Instead, it sits on the Sabre back end.

Wireless Real Estate

At Colliers Arnold Commercial Investment Brokerage in Tampa, Fla., testing is under way to provide agents with wireless access to proprietary information on commercial real estate properties, says CEO Lee Arnold.

Colliers Arnold is using Palm VII handhelds operating on Santa Clara, Calif.-based Palm Inc.'s Palm.net network, which uses a proprietary algorithm to encrypt data throughout the transaction, Arnold says.

The other main vulnerability of wireless transmissions, analysts say, is the lack of authentication - ensuring that a user is who he says he is.

Analysts say they worry that user names and passwords don't provide sufficient security, especially for sensitive information. Analysts and customers considering wireless banking say they're looking forward to the day when smart phones come equipped with a separate token, such as a smart card, to authenticate a user's identity. So far, banks aren't using a separate token device and instead are depending on digital certificates for wireless authentication, analysts say.

Some cell phones on the market today include Subscriber Identify Modules (SIM), which will work with later versions of the WAP specification to create what's called a Wireless Identity Module (WIM). That WIM will store a digital certificate and its associated private key.

Visa International Inc. in Foster City, Calif., is working with phone maker Nokia Corp. and Meritanordbanken Group, both in Finland, on a phone that includes a slot for a SIM identification device.

Pescatore says this technology is of limited use, since anyone who has the phone can pretend to be the legitimate user if he also has the personal identification number (PIN) to activate it.

In lieu of authentication with a token, the handhelds from RIM in Waterloo, Ontario, require a user name and new password at set intervals. Perhaps a more important protection, says Odson at Paul Hastings, is that employees know they shouldn't be putting confidential information in e-mail messages anyway.

Analysts say authentication will improve as biometric devices such as fingerprint readers are used instead of PINs, but such devices won't be common before 2004.

Avoiding Trouble

Pescatore says the absence of authentication technology means IT managers must depend on user names and passwords. Because cell phone keypads make it hard to enter alphabetical passwords, IT managers should require longer numeric sequences than they're used to and update them frequently, analysts say.

Pescatore urges IT managers to invest in intrusion-detection software for all servers exposed to wireless applications, such as the New Orleans network Schmidt stumbled into with his wireless LAN card. Specifically, the office Schmidt entered should have put its wireless adapter on a LAN switch on a separate segment and not on a hub.

But even some companies that are moving bravely to wireless e-commerce realize the limitations on security. "We are very concerned about mobile Internet security, period," says Joe Chouinard, vice president of new e-commerce channels at Visa.

For more security coverage, visit our Security Watch community.

Copyright © 2000 IDG Communications, Inc.

9 steps to lock down corporate browsers
  
Shop Tech Products at Amazon